[openssl-users] Failure using ECDH-RSA-AES256-SHA with ssl3 on Master Branch

Linsell, StevenX stevenx.linsell at intel.com
Thu Mar 19 11:18:08 UTC 2015

I am trying to use ECDH-RSA-AES256-SHA with ssl3 with s_client and s_server on the master branch (cloned at commit f7683aaf36341dc65672ac2ccdbfd4a232e3626d, and then retested with a more recent clone at commit da27006df06853a33b132133699a7aa9d4277920).
We are running a test suite that tests all supported cipher and protocol combinations and this test is part of that suite.
Our test suite is failing with an unmodified build of OpenSSL with the following commands:-

./openssl s_server -cert prime256v1-rsaTestServer.cert.pem -key prime256v1-rsaTestServer.key.pem -WWW -accept 4411 -cipher ECDH-RSA-AES256-SHA -nbio -ssl3 -debug -state

echo "GET /file_1byte.html HTTP/1.0" | ./openssl s_client  -host localhost -port 4411 -cipher ECDH-RSA-AES256-SHA -ssl3 -ign_eof -debug -state

The output from s_client is:-

SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
139749978326688:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1482:SSL alert number 40
139749978326688:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:664:
write to 0x1284120 [0x128e913] (52 bytes => 52 (0x34))
0000 - 16 03 00 00 2f 01 00 00-2b 03 00 af 73 f8 85 b4   ..../...+...s...
0010 - 01 5f d4 79 66 4e 94 fa-bf e7 5e 5b 19 75 c8 5f   ._.yfN....^[.u._
0020 - 44 73 bb bd 47 8c 23 57-01 c0 1a 00 00 04 c0 0f   Ds..G.#W........
0030 - 00 ff 01                                          ...
0034 - <SPACES/NULS>
read from 0x1284120 [0x128a3c3] (5 bytes => 5 (0x5))
0000 - 15 03 00 00 02                                    .....
read from 0x1284120 [0x128a3c8] (2 bytes => 2 (0x2))
0000 - 02 28                                             .(
no peer certificate available

The output from s_server is:-

Using default temp DH parameters
turning on non blocking io
SSL_accept:before/accept initialization
read from 0x21b32b0 [0x21b7993] (5 bytes => 5 (0x5))
0000 - 16 03 00 00 2f                                    ..../
read from 0x21b32b0 [0x21b7998] (47 bytes => 47 (0x2F))
0000 - 01 00 00 2b 03 00 aa 75-39 f4 b5 78 46 3e 8c cb   ...+...u9..xF>..
0010 - a9 18 92 01 cd 24 cf fd-7b a7 de 29 7c b8 d9 bc   .....$..{..)|...
0020 - c4 62 1c c5 33 7f 00 00-04 c0 0f 00 ff 01         .b..3.........
002f - <SPACES/NULS>
write to 0x21b32b0 [0x21c6910] (7 bytes => 7 (0x7))
0000 - 15 03 00 00 02 02 28                              ......(
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client hello C
139792107542176:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1366:

I am using an ECC test certificate that uses curve prime256v1 and is signed with an rsa2k key.
The cert/key were generated using RSAcertgen.sh followed by ECC-RSAcertgen.sh modified only for the curve and RSA key size I am using.
Here is a dump of the certificate:
./openssl x509 -in prime256v1-rsaTestServer.cert.pem -text -noout
        Version: 1 (0x0)
        Serial Number: 16838786626002069798 (0xe9af63387b73a926)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=Mountain View, O=Sun Microsystems, Inc., OU=Sun Microsystems Laboratories, CN=Test CA (2048 bit RSA)
            Not Before: Mar 13 11:38:21 2015 GMT
            Not After : Apr 21 11:38:21 2019 GMT
        Subject: C=US, ST=CA, L=Mountain View, O=Sun Microsystems, Inc., OU=Sun Microsystems Laboratories, CN=Test Server (prime256v1 key signed with RSA)
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
    Signature Algorithm: sha256WithRSAEncryption

Running the exact same s_server/s_client commands above with either the system openssl (1.0.0o) or the baseline we normally release against (1.0.1l) works fine.
Running on the master branch with the same certificate and commands above but with tls1, tls1_1 or tls1_2 works perfectly; only ssl3 fails.
Running with a sect163r1 curve signed with an rsa1k key also produces the same failure.
My build is as follows:
./openssl version -a
OpenSSL 1.1.0-dev xx XXX xxxx
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
OPENSSLDIR: "/usr/local/ssl"

As you can see, the only flag I have enabled (apart from -g while debugging) is -DOPENSSL_TLS_SECURITY_LEVEL=0. We need this flag to allow some of the older cipher suites we test against, but the issue is seen with or without that flag defined.

I'm not overly familiar with the master branch, as we do not normally build against it, so my real question is whether I am doing something wrong in terms of configuration on the master branch (is there a flag I need to enable to allow ECDH-RSA with ssl3 that I haven't spotted?) or whether this is a genuine bug.

Single stepping through the code I can see the failure is occurring in tls1_check_ec_key when it is called from tls1_check_cert_param.
It appears to go around a for loop (j) twice. The first time through it correctly matches the curve it is looking for. The second time round the list is empty and 0 is returned. This failure causes the Elliptical curve cert not to be declared as valid and consequently the handshake fails with the no shared cipher message.
I don't have a good understanding of how the certificate code works so I haven't managed to debug any further than that in order to determine why the second time round the loop the list is empty.

Steve Linsell                                     Intel Shannon DCG/CID Software Development Team
Stevenx.Linsell at intel.com                              
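
Added example (not part of the original post and not OpenSSL code): a small Python parser run over the ClientHello and alert bytes from the -debug dumps above. It shows that the SSLv3 hello offers only 0xC00F plus the renegotiation SCSV and carries no extensions block, so no supported-curves list (extension type 10) reaches the server. The trailing 0x00 that the dump elides as <SPACES/NULS> is restored, and the function names are illustrative.

```python
import struct

# Bytes copied from the s_client -debug dump in the post (52-byte write). The
# final 0x00 is the byte the dump elides as <SPACES/NULS>.
CLIENT_HELLO_RECORD = bytes.fromhex(
    "160300002f0100002b0300af73f885b4"
    "015fd479664e94fabfe75e5b1975c85f"
    "4473bbbd478c235701c01a000004c00f"
    "00ff0100")
# The 7-byte alert record the server wrote in reply.
ALERT_RECORD = bytes.fromhex("15030000020228")

SUITES = {0xC00F: "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
          0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}
EXT_ELLIPTIC_CURVES = 10  # RFC 4492 supported-curves extension type


def parse_client_hello(record):
    """Return version, offered suites and extensions of a one-record ClientHello."""
    ctype, _, rec_len = struct.unpack_from("!BHH", record, 0)
    body = record[5:]
    if ctype != 22 or rec_len != len(body) or body[0] != 1:
        raise ValueError("expected one complete ClientHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = (hello[0], hello[1])
    pos = 2 + 32                                  # skip version and random
    pos += 1 + hello[pos]                         # skip session id
    (cs_len,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    suites = [struct.unpack_from("!H", hello, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                         # skip compression methods
    extensions = {}
    if pos + 2 <= len(hello):                     # extensions block is optional
        (ext_len,) = struct.unpack_from("!H", hello, pos)
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            extensions[etype] = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"version": version, "suites": suites, "extensions": extensions}


def parse_alert(record):
    """Return (level, description) from a plaintext alert record."""
    ctype, _, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 21 or rec_len != 2:
        raise ValueError("expected a 2-byte alert record")
    return record[5], record[6]


if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO_RECORD)
    print("version", hello["version"])
    print("suites", [SUITES.get(s, hex(s)) for s in hello["suites"]])
    print("curve list sent:", EXT_ELLIPTIC_CURVES in hello["extensions"])
    print("alert (level, description):", parse_alert(ALERT_RECORD))
```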
